Distributed network systems spread processor resources and data across multiple computers in a network. Cloud computing technology has been developed to provide shared computer processing resources (e.g., network links, servers, storage, and applications) and data to computers and other devices on demand. Cloud computing and storage solutions give users and enterprises various capabilities to store and process their data in either privately owned or third-party data centers that serve large numbers of client computer users. Multi-tenancy has become an important feature of cloud computing. In a multi-tenant network environment, a single instance of an application runs on a server and serves multiple tenants. A multi-tenant system provides every tenant a dedicated share of the software instance, including its data, configuration, user management, tenant-specific functionality, and other properties.
In large-scale distributed network environments in which many users or tenants share common resources held in what are often virtual storage locations, it is vital to maintain data integrity and to control each tenant's access strictly, so that a tenant reaches only its own data and services. An authentication and authorization (AA) service is a multi-tenant component used to authenticate principals and to authorize their access to the data of the various software components designated to serve multiple tenants. It provides logical separation between tenants' data within a single software component. This is key in a multi-tenant architecture, in which a single instance of a software application serves multiple tenants, to ensure that no tenant gains unauthorized access to another tenant's data. The AA service may use the concepts of "roles" and "tenants" to encapsulate these data access privileges through role-based access control (RBAC). In general, RBAC is a policy-neutral access control mechanism defined around the roles and privileges of personnel or departments within a company or organization. RBAC uses role permissions and user/role relationships to assign and enforce access privileges within the organization; in a multi-tenant setting, a role grants privileges only within the tenant to which the principal belongs.
Existing authentication mechanisms issue principals (requesters) an opaque token, usually a random or hashed value that carries no meaning to its holder, on each successful authentication attempt. Verifying such a token requires a round trip to the server that issued it, because only that server can map the opaque value back to the principal and its privileges. This approach is not robust enough for distributed systems of software components: the issuing server becomes both a performance bottleneck and a single point of failure. What is needed, therefore, is a token verification system that is robust enough for distributed network environments and that minimizes bottlenecks and failure points.
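The following is an added illustration, not part of this application and not the method it goes on to claim, of the two points made above: a tenant-scoped RBAC decision in which a role grants privileges only inside the principal's own tenant, and a self-contained token whose authenticity a component can check locally instead of calling back to the issuer as it must with an opaque token. The principal names, tenant names, role-to-permission table, and issuer key are constructed for the example. It uses an HMAC so that it runs with the Python standard library alone; with an HMAC every verifying component must hold the issuer's secret, whereas an asymmetric signature would let each verifier hold only the public key.

```python
"""Added example (not the application's own code): a locally verifiable token
carrying tenant and role claims, plus a tenant-scoped RBAC check.

All names, keys, and the permission table below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared verification key. Every verifier needs it with an HMAC;
# an asymmetric signature (not shown, to stay stdlib-only) avoids that.
ISSUER_KEY = b"example-issuer-key-do-not-use-in-production"

# Constructed role -> permission table. Permissions are "resource:action".
ROLE_PERMISSIONS = {
    "admin": {"invoice:read", "invoice:write", "user:manage"},
    "analyst": {"invoice:read"},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(principal, tenant, roles, ttl=3600, now=None, key=ISSUER_KEY):
    """Issuer side: bind subject, tenant, roles and expiry under one MAC."""
    issued_at = now if now is not None else time.time()
    claims = {
        "sub": principal,
        "tenant": tenant,
        "roles": sorted(roles),
        "exp": int(issued_at + ttl),
    }
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(tag)


def verify_token(token, now=None, key=ISSUER_KEY):
    """Verifier side: checked locally, with no round trip to the issuer.

    Returns the claims, or raises ValueError for a malformed, forged or
    expired token. The MAC is compared in constant time.
    """
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, tag = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(tag)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    current = now if now is not None else time.time()
    if claims["exp"] < current:
        raise ValueError("expired")
    return claims


def authorize(claims, resource_tenant, permission):
    """Tenant-scoped RBAC: the tenant in the token must match the tenant that
    owns the resource, and one of the principal's roles must grant the permission.
    The tenant check comes first so a role can never reach across tenants."""
    if claims["tenant"] != resource_tenant:
        return False
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims["roles"]))
    return permission in granted


def decide(token, resource_tenant, permission, now=None):
    """Full decision as a service component would make it: verify, then authorize."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return authorize(claims, resource_tenant, permission)


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("alice", "acme", ["analyst"], now=t0)
    print(decide(tok, "acme", "invoice:read", now=t0 + 10))    # True
    print(decide(tok, "globex", "invoice:read", now=t0 + 10))  # False: other tenant
    print(decide(tok, "acme", "invoice:write", now=t0 + 10))   # False: role lacks it
```

Because the token's integrity is checked with a key the verifying component already holds, any number of components can verify tokens in parallel and keep working while the issuer is unreachable, which is exactly what the opaque-token round trip prevents. Expiry is bounded by the "exp" claim; revoking a token before it expires would still need a separate mechanism, which the example does not address.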
The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.